Fundamentals by Nevis: Usernameless Authentication

Usernameless Authentication

With so many services rendered and interactions taking place online, users have an inordinate number of accounts. And that means just as many usernames. Each time users log in on a different device, they have to authenticate with the correct username for each platform, app, and service. This is a tedious and time-consuming process that can easily be avoided.

Usernameless authentication lets customers approve transactions without first having to type in a username. Be it a standard platform login attempt, an identity verification process during an online or phone support session, et al., usernameless authentication gives users a smooth authentication experience that is both secure and convenient.

Benefits of Usernameless Authentication

Usernameless authentication eliminates the need to remember which username was used for which service. It also speeds up the login process, especially on mobile devices with their significantly smaller keyboards. But there are even more benefits to usernameless authentication:

Mitigate the risks associated with credential reuse: The widespread recycling of login credentials is an understandable response to the magnitude of usernames required nowadays. However, it leaves users (and companies!) susceptible to any number of cyberattack strategies, most notably credential stuffing. Eliminating the username eliminates this threat.

Decrease customer service expenses: Forgotten or compromised credentials account for nearly 50 percent of all customer service calls. This is time and money that can be better allocated.

Enhance the user experience: Thanks to the convenience and ease-of-use provided by usernameless authentication, users can seamlessly access their accounts and services without any hassle. This increases both satisfaction and productivity.

How Does Usernameless Authentication Work?

There are a number of possibilities to implement usernameless authentication. These may rely on QR codes, push codes, or biometrics Here are three examples:

QR-code: When attempting to login to a service provider portal on a desktop computer, the portal provides a QR-code. The user then scans this code using the service provider’s access app on their mobile device. When prompted, the user can use biometric authentication for proof of identity. Thereafter, the user is logged in, securely and without the need for a username.

Mobile device prompt: This method is especially helpful for authenticating a user during a customer service call. In this case, the customer service rep sends the customer a link on their mobile device. When the customer opens the link, it redirects to the access app, which then requests authentication. The customer service rep is informed that the authentication process was successful and can then securely continue any transactions.

As a precondition, the user has already been registered to the system and has installed and set up a branded access app on their mobile phone. Ideally, they used a biometric authentication method such as FaceID.

A user, currently unknown, wants to log into your website. You issue a QR-code that is tied to the log-in transaction, but has no user specified in it. The user scans the QR-code with the branded app on their phone, confirms that they want to log in and authenticate with their FaceID. In the background you keep polling the status end-point for this transaction with its token. While the user is still going through the motions, the transaction is still pending. But as soon as the authentication is successfully completed, the status endpoint returns a success data object that has the userId, and your back-end systems can link the successful transaction, the log-in, to that user account and give them access to your website.